Closed as not planned
Labels
➖ False Negative - Evasion
⏳ awaiting feedback (CRS dev asked feedback)
Stale issue
Description
I'm using this request body and the WAF did not detect the SQL injection.
{
"action": "list",
"page": 1,
"status": -1,
"manager": 0,
"text": "') AND (SELECT 1970 FROM (SELECT(SLEEP(5)))pQyY)-- pLgG",
"section": 0,
"category": 0,
"get_category": true,
"page_type": "education"
}
Logs
---H7Yy7vk1---A--
[12/Jan/2025:10:28:13 +0330] 173666509343.662374 85.185.85.198 42806 85.185.85.195 443
---H7Yy7vk1---B--
POST /ticket/tickets.php HTTP/1.1
sec-ch-ua-mobile: ?0
Origin: https://zzz.xxx.ccc
sec-ch-ua: "Google Chrome";v="131", "Chromium";v="131", "Not_A Brand";v="24"
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Sec-Fetch-Mode: cors
Connection: keep-alive
Sec-Fetch-Dest: empty
Referer: https://zzz.xxx.ccc/ticket/tickets.php
sec-ch-ua-platform: "Linux"
Cookie: PHPSESSID=61vnl8q8ulf726xxxxxxxxxxxxx
Accept-Encoding: gzip, deflate, br
Content-Type: application/json;charset=UTF-8
Accept-Language: en-US,en;q=0.9,fa;q=0.8,de;q=0.7,ar;q=0.6,es;q=0.5,hr;q=0.4,da;q=0.3,zh-TW;q=0.2,zh;q=0.1,tr;q=0.1'
Accept: */*
Cache-Control: no-cache
Postman-Token: fc8247e8-868c-xxxx-yyyy-36abf208c33b
Host: zzz.xxx.ccc
Content-Length: 239
---H7Yy7vk1---C--
{
"action": "list",
"page": 1,
"status": -1,
"manager": 0,
"text": "') AND (SELECT 1970 FROM (SELECT(SLEEP(5)))pQyY)-- pLgG",
"section": 0,
"category": 0,
"get_category": true,
"page_type": "education"
}
---H7Yy7vk1---D--
---H7Yy7vk1---E--
---H7Yy7vk1---F--
HTTP/1.1 200
Strict-Transport-Security: max-age=31536000; includeSubDomains
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Encoding: gzip
Connection: keep-alive
Vary: Accept-Encoding
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Content-Length: 428
Date: Sun, 12 Jan 2025 06:58:19 GMT
Server: nginx/1.22.1
Permissions-Policy: geolocation=(self),midi=(self),sync-xhr=(self),microphone=(self),camera=(self)
---H7Yy7vk1---H--
---H7Yy7vk1---I--
---H7Yy7vk1---J--
---H7Yy7vk1---Z--
Your Environment
- CRS version (v4.11.0):
- Paranoia level setting (default, not changed):
- ModSecurity version (v3.0.13):
- Web Server and version or cloud provider / CDN (nginx-1.22.1):
- Operating System and version: linux (debian 12)
Confirmation
[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
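The inspection step this report says never fired, as an added example (not CRS or ModSecurity code): split a ModSecurity native-format audit entry into its lettered sections, parse the JSON body from section C, and flag string values carrying time-delay SQL primitives such as the SLEEP(5) in the `text` field. The audit entry is constructed from the one in the report, with documentation-range IP addresses and the response sections dropped; the detection pattern is the example's own, not a CRS rule.

```python
import json
import re

# ModSecurity native audit-log section markers: ---<token>---<letter>--
SECTION_RE = re.compile(r"^---(?P<tok>[A-Za-z0-9]+)---(?P<sec>[A-Z])--$", re.M)

# Time-delay primitives used in blind SQLi (MySQL, PostgreSQL, MSSQL).
TIME_SQLI_RE = re.compile(
    r"\b(?:sleep\s*\(|benchmark\s*\(|pg_sleep\s*\(|waitfor\s+delay\b)", re.I
)

# Constructed from the report's audit log: documentation-range IPs,
# response sections dropped, request body kept verbatim.
SAMPLE_ENTRY = """\
---H7Yy7vk1---A--
[12/Jan/2025:10:28:13 +0330] 173666509343.662374 192.0.2.10 42806 192.0.2.20 443
---H7Yy7vk1---B--
POST /ticket/tickets.php HTTP/1.1
Content-Type: application/json;charset=UTF-8
---H7Yy7vk1---C--
{"action": "list", "page": 1, "status": -1, "manager": 0, "section": 0,
 "text": "') AND (SELECT 1970 FROM (SELECT(SLEEP(5)))pQyY)-- pLgG",
 "category": 0, "get_category": true, "page_type": "education"}
---H7Yy7vk1---Z--
"""

def parse_audit_entry(entry: str) -> dict:
    """Split one native-format entry into {section_letter: section_text}."""
    parts = SECTION_RE.split(entry)  # [pre, tok, sec, text, tok, sec, text, ...]
    return {parts[i + 1]: parts[i + 2].strip() for i in range(1, len(parts), 3)}

def json_strings(obj, path="$"):
    """Yield (json_path, value) for every string leaf, recursing into containers."""
    if isinstance(obj, str):
        yield path, obj
    elif isinstance(obj, (dict, list)):
        is_dict = isinstance(obj, dict)
        for k, v in (obj.items() if is_dict else enumerate(obj)):
            yield from json_strings(v, f"{path}.{k}" if is_dict else f"{path}[{k}]")

def find_time_sqli(entry: str) -> list:
    """Return [(json_path, value)] for JSON body strings matching TIME_SQLI_RE."""
    secs = parse_audit_entry(entry)
    if not re.search(r"^Content-Type:\s*application/json", secs.get("B", ""), re.I | re.M):
        return []  # non-JSON bodies are out of scope for this example
    body = json.loads(secs.get("C") or "{}")
    return [(p, v) for p, v in json_strings(body) if TIME_SQLI_RE.search(v)]
```

ModSecurity only exposes JSON fields as ARGS for the CRS rules once its JSON request-body processor has been selected for the request, so confirming that the body processor ran is the first check for a false negative of this shape.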